Security Incidents mailing list archives

Re: detecting "trinity v3 by self" DDoS agent


From: Philippe Bourcier <philippe () CYBERABUSE ORG>
Date: Thu, 31 Aug 2000 02:30:42 +0200

re

A few weeks ago we detected (with 2 other people from the Undernet
staff) the "trinity v2 and v3 by self" on IRC (400 bots with different IPs).

We have seen self (the author) using those and then alerted some hacked
boxes' admins.
...

From: Matt Power <mhpower () MIT EDU>
To: INCIDENTS () SECURITYFOCUS COM
Subject: detecting "trinity v3 by self" DDoS agent

<snip>

-- lsof output reporting that a program named /usr/lib/idle.so is
   listening on tcp port 39168 (this is the DDoS agent itself)
-- lsof output reporting that a program named /var/spool/uucp/uucico
   is listening on tcp port 33270
-- possibly other tcp or udp ports in use by the /usr/lib/idle.so
   and /var/spool/uucp/uucico programs

I will add that for trinity v2 the idle.so file is named trnty.h,
and also that uucico uses a TCP connection on port 6667 (IRC) since it's an
IRC bot.

All the 400 machines used seem pretty easy to hack.
The attacks made were trinoo-like (pyramidal).
I have a list of the attacked sites if someone wants it.

Nicknames on IRC (UnderNet) were generated from the first 6 letters of the
machine name ("." replaced by "_"), 2 other letters (whose meaning we haven't
found) and 1 number, which probably defines the order in the
pyramid.
i.e.: aquarids0 using aquarius.cryogenic.net

The hacker (self) of those 400 hacked machines seems to have stopped his
game.

114 hacked machines are still online:


--------------------------------------------
 Philippe Bourcier (Mr_RIP)
--------------------------------------------
 Paris.FR.EU.UnderNet.Org
--------------------------------------------
 documents.cyberabuse.org
--------------------------------------------
ps: Victim of a smurf attack?
Mail IPs to mailing () cyberabuse org
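
The indicators discussed above (the listening ports and program names from Matt Power's lsof findings, the uucico IRC connection, and the nickname scheme) put into a small host check. This is an added example, not code from either poster; it assumes the usual `lsof -i -n -P` column layout, and the sample lsof output is constructed.

```python
"""Flag 'trinity v2/v3 by self' indicators in lsof output and in IRC nicknames."""
import re

# Indicators taken from the thread; this mapping is constructed for the example.
LISTEN_PORTS = {39168: "trinity DDoS agent (idle.so / trnty.h)", 33270: "uucico IRC bot"}
AGENT_NAMES = {"idle.so", "trnty.h", "uucico"}  # v3 agent, v2 agent, IRC bot
IRC_PORT = 6667

def scan_lsof(text):
    """Return (pid, command, reason) for each 'lsof -i -n -P' line matching an indicator."""
    hits = []
    for line in text.splitlines()[1:]:              # skip the header row
        parts = line.split()                        # COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]
        if len(parts) < 9:
            continue
        cmd, pid, name = parts[0], parts[1], parts[8]
        state = parts[9] if len(parts) > 9 else ""
        ports = [int(p) for p in re.findall(r":(\d+)", name)]   # local and remote ports
        for port in ports:
            if port in LISTEN_PORTS and state == "(LISTEN)":
                hits.append((pid, cmd, f"listening on tcp/{port}: {LISTEN_PORTS[port]}"))
        if cmd in AGENT_NAMES and IRC_PORT in ports and state != "(LISTEN)":
            hits.append((pid, cmd, "agent program connected to IRC on tcp/6667"))
    return hits

# Nick scheme from the post: first 6 chars of the hostname ('.' -> '_'), 2 letters, 1 digit.
NICK_RE = re.compile(r"^([a-z0-9_-]{6})([a-z]{2})(\d)$")

def nick_prefix(hostname):
    """Expected nick prefix for a host, e.g. aquarius.cryogenic.net -> 'aquari'."""
    return hostname.lower().replace(".", "_")[:6]

def nick_matches_host(nick, hostname):
    """True if the nick follows the bot naming scheme for the given hostname."""
    m = NICK_RE.match(nick.lower())
    return bool(m) and m.group(1) == nick_prefix(hostname)

# Constructed sample lsof output (not real data) for a stand-alone run.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
idle.so   512 root    3u  IPv4   1234      0t0  TCP *:39168 (LISTEN)
uucico    530 root    3u  IPv4   1240      0t0  TCP *:33270 (LISTEN)
uucico    530 root    4u  IPv4   1241      0t0  TCP 10.0.0.5:1045->192.0.2.10:6667 (ESTABLISHED)
sshd      200 root    3u  IPv4   1100      0t0  TCP *:22 (LISTEN)
"""

if __name__ == "__main__":
    for pid, cmd, reason in scan_lsof(SAMPLE_LSOF):
        print(f"pid {pid} ({cmd}): {reason}")
```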